IGF 2019 – Day 2 – Raum V – WS #341 Roadmap for confidence building measures (CBM) in cyberspace

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR:  Hi, everyone.  Welcome to our session on Confidence Building Measures in Cyberspace and the road forward for this area.  I want to welcome everybody in the room.  I also want to welcome people online that are participating remotely.  We have an online moderator on site so if you have questions, please type them into the tool and he will make sure we know the questions and are able to answer them.  The conversation today will look at how far have we gotten in terms of confidence building measure for cyberspace, why they are important as well as sort of what is the path forward and what is the path forward for multi‑stakeholder engagement in terms of confidence building measures.

I'm hopeful that we will have an interesting and engaging debate both here on the panel and with the audience.  I have a number of questions, but as you listen to the presentations, if you have questions, think about them and after this first round of remarks, level set the discussion I highly encourage you to raise your hand and participate.  The idea is for this to be a conversation amongst us all.  With that, I want to thank all of our panelists here and I will ask Nikolas Ott from the Organization for Security and Co-operation in Europe to start us on the way and give us an overview of what confidence building are and what work he and the OSCE has been doing in this space.

>> NIKOLAS OTT:  Thanks a lot.  It's great to have slides and realize that you have slides only because you have the slides and people want to get rid of them, so we will quickly go through them.  They help me stay on track so I will not waste your time too long.  Let's kick things off.

We in the OSCE have quite an interesting mandate that I will go through in the next couple of minutes.  For those of you that do not know the OSCE, we are the world's largest regional security organisation with 57 participating states in North America, Europe and Asia, and our focus is pretty much on enhancing stability, peace and democracy for more than a billion people in those regions.

Some of you might know us from our election observation efforts, the special mission in the Ukraine or our conflict prevention and mediation efforts.  Now, to understand where sort of our approach towards CBMs is coming from we have to look back into the 1970s where things kicked off.  As the multilateral Forum for countries east and west during the Cold War, which ultimately ended up with the Helsinki Final Act in 1975, which is sort of the foundational layer to our work and also sets the framework in which we observe and see how we contribute to enhancing being a platform for a cooperation amongst states.

Based on this Helsinki Final Act, we approached security related issues through three dimensions, the political military dimension, economic and environmental, and human rights perspective.  And this helps us to sort of frame discussions along those lines and figure out how also these three dimensions complement and support each other.

Moreover, and this is quite important the OSCE works on a basis of political consensus.  So decisions are not taken, are not agreed upon if there is opposition or dissent by any of our participating states.  We are not entirely new to the CBMs.  When we look at conventional arms control, the OSCE has been quite active in enhancing our CSBMs, so the S stands for stability measures there.  That's added.  And what participating states agreed upon was to translate this approach toward modern day security challenges, and, therefore, apply sort of the concept of confidence building measures into cyberspace.

This slide shows you a few pictures to remind everyone in the room and most of you know already we are not operating in a political vacuum.  So this is happening with an environment of tensions, of conflict, of disagreement and so the CBMs try to address that and figure out how within this political realm we are operating in we can enhance relations between states.  Before I mention what our CBMs entail, I wanted to quickly put this on screen so that people are aware of this interconnectedness between the regional approaches on confidence building measure and what the United Nations has been doing over the past couple of years.  The UNGGE four pillar approach is quite helpful for us to stay on track and make sure our efforts are lined up with what is happening on a global level.  The idea is to show you the three clusters on how we approach our CBMs.  We have two comprehensive sets of CBMs adopted in 2013 and 2016 and here you can see all 16 of them clustered in three different clusters.

The first one is posturing which can be broadly categorized as CBMs that help states to read each other and understand each other.  Communication CBMs that help states to enhance their information sharing, their means of communications established in communication lines and thirdly preparedness which are CBMs sort of designed to promote national readiness on this matter.

I will give you concrete examples of those in a minute.  Before that I wanted to quickly put this question out there because we received this question quite often.  I think it's important to address this right away is why do we even have regional organisations address these matters via capacity building or CBMs.

This is where sort of our unique mandate but also our expertise in the field comes along.  It's not just the OSCE, but the regional Forum and the Organization of American States that are also engaged in the space.  We as entities that do a lot of practical work underground have a fairly good understanding of what is happening there and how this reflects and can be incorporated into international discussions.  We, therefore, talk quite often as sort of this incubator and implementer approach, meaning an incubator for new ideas and practical efforts that relate to international law and norms, and as implementer of agreed upon language, like the UN GGE reports that obviously are on a very high level, but then obviously need to be implemented and translated into more practical means to be effective in their own way.

Now, to complete my introductory remarks I thought I would finish off with three concrete examples of capacity building, trust building and awareness building.  When it comes to capacity building, the way we approach this is the OSCE Secretariat started a new initiative called CBM implementation roadmaps where we go and meet counterparts in participating states who are interested in receiving customized support in figuring out how they can take advantage of our CBM portfolio, incorporate them into international policy structures, integrate them into their national procedures and institutions to not just have them out there as an option, but really have a coherent way of making use of them.

The second example I wanted to give you on trust building is our points of contact network, which serves as a community among policy and technical experts that are not just brought together from time to time, but go through fictitious scenarios together.  We do tables of exercises for them and we bring them together because we see that trust building is essential, but it only works if we bring back sort of the human component and make sure that people meet, engage, and go through challenges by themselves.

By now we do unannounced communications checks so sometimes we surprise our participating states with a long email and lots of tasks and suddenly they have to respond to this in 72 hours.

They do it very diligently, but then sometimes we hear that the task might have been, could have been simpler, but we are happy to challenge them a little bit to figure out how they can work on that effectively.  The last thing I wanted to say as an example was on awareness raising where we go into the field and we conduct subregional workshops where we bring together policy makers from a specific region and help them understand how within their own work CBMs but also norms and other components of the four DG pillars complement their work, make their lives easier and how the pillars relate to their national responsibilities.

So overall, you might think that the CBMs itself might be narrow, but within the realm they actually do provide a crucial component to the reduction of conflict.  They may not make front newspaper coverage but among diplomats they are greatly appreciated and help them navigate a landscape that is sometimes dominated by a low level of trust or difficult or contentious relationships.  We as the Secretariat are interested in implementing decreed upon norms and helping states to figure out how to take most out of the language that has been agreed upon.

You will see when you go to the CBM portfolio and look at the language that it might sound trivial, easy.  That's because CBMs are designed to start with less contentious issues that offer a starting point that actually do help find agreement on things that everyone agrees upon and then from there you can walk towards more ambitious goals in that sense.

I will leave it at that, and I'm looking forward to our conversation and questions from the audience.

>> MODERATOR:  Thank you.  I think that was a useful sort of overview of the background of how the world in reality, you know, OSCE as an example, but moved from confidence building measures in your traditional not online environment to this space and gave some examples of how this might work.  With that, I want to turn to Caroline Greer, who is head of the European public policy at CloudFlare to give us a little bit of overview of the landscape that we see online today and why we actually need confidence building measures and the industry perspective of how we could effectively increase stability in cyberspace.

>> CAROLINE GREER:  Great.  Thanks very much and thanks for the invitation to join this panel.

CBMs is a new acronym for us, I must confess for me certainly but definitely the thrust of what you are saying makes a lot of sense.  So I guess to place us in this debate as a private sector actor, as a company, for those not familiar with CloudFlare we are a web security company formed in 2010.  So we currently protect about 20 million plus web properties around the world and we are present in some 90 countries across 194 cities.  So we really have a globally distributed network.

To give you an idea of the sense or the scale of the cyber-attacks that we are confronted with which I guess are at the most simple level DDOS attacks growing up to more sophisticated attacks, in quarter three of this year we blocked on average 72 billion cyber-attacks daily each day so that's the scale of things we are dealing with and they range from basic attacks up to super sophisticated attacks.

We are a member of the cyber tech accord along with Microsoft and we are a signatory of the Paris call which was signed November last year and brought private sector actors and others together to kind of talk about how to deal with malicious attacks online and how to deal with accessibility and integrity of the net and to look at electoral processes among other things.

I guess where we find ourselves in this discussion is to the extent, I mean, we have a full range of customers ranging from free users right up to Government entities.  To the extent that we don't talk about customers specifically, but we are protecting web properties of Governments, of Parliaments, of stock exchanges, and national regulatory agencies, election websites.  So to the extent that we are protecting these web properties from cyber-attacks, particularly in states where, perhaps, the democratic situation is shaky, let's say, or where there is a national crisis ongoing, we can find ourselves inadvertently as a private sector actor in the middle of some sort of geopolitical situation where one of our customers is being attacked in the context of a geopolitical situation.

And what do we do as a private sector actor in that case?  So it's kind of unclear what the playbook is there.  Obviously we see, you know, things that are happening on our network, but as an Internet infrastructure company, as a security company, we don't take sides.  Politics is not our game, we are content neutral.  So it's, you know, it's clear and a little confusing as to what we should be doing in that situation.  Obviously we have to protect our customers as well and user trust is paramount for us, so the type of information that we could share is perhaps limited, but to the extent we are also getting questions from states entities as to what are you seeing in this situation, what kind of level of information sharing can we give?  What are the rules in that situation?

So that's something that we think about a lot, and we are not really in the game necessarily of attribution.  I think it's a lot of difficulties in dealing with attribution, but for sure we see some things that are happening.  So for us, I think that's probably the biggest discussion today, what is the role of a private sector entity who inadvertently ends up in the middle of some sort of state actor attack and how do we address that?  So those would be the introductory remarks, willing to talk about that a bit further, but that sets us on the scene of this debate if that's helpful.

>> MODERATOR:  Thank you.  That is very helpful.  I think it's a very interesting perspective to take and to think about as we go forward, because in reality, private sector actors are both, you know, the developers, the operators, and a lot of the times the defenders, and sort of the targets of these nation state efforts, and but we don't necessarily participate as much as in confidence‑building measures, in norms conversations at all, and I know that, and this is one of the questions I will have for everybody, I know part of the conversation next week at the UN at the open Working Group conversations will really focus on how do you build confidence building measures not just between states but actually between the different stakeholders, I guess, multi‑stakeholders, though I don't think that's a word, between industry and Government, between civil society and industry, between civil society and Government to drive this discussion forward.

I think maybe I want to turn to Conrad who comes from the Singapore cybersecurity agency.

Singapore has been leading in the Asia‑Pacific regions in this space, and I know you are highly active participants at the UN conversations, and maybe, you know, we have mentioned it here, I have, Nikolas has.  Could you tell us about what you are doing as a country, but also what is happening at the UN level to drive this conversation forward?

>> SITHURAJ PONRAJ:  So thank you.  I have a big job because I feel I don't just represent Singapore, but I also represent my colleagues in the ASEAN Regional Forum.  The ASEAN Regional Forum on ICT security is Co‑Chaired by Singapore, Malaysia and Japan.  And it's a grouping, not just made up of the ten association of Southeast Asian country nations grouping which is ASEAN, but we are also privileged to have ten other people, ten other countries including the U.S., Russia and China.

So it's an interesting perspective, and then we have seven more, so there are 27 countries in the ASEAN Forum for ICT security.  I just wanted to situate where we are in terms of the conversation in Southeast Asia, and then I will speak a little bit about the UN multi‑stakeholder consults next week.  In ASEAN, I think as it can be seen, it is not natural for sometimes to have someone from the cybersecurity agency to speak about digital diplomacy, but that's a reality, because the truth is we have seen in ASEAN countries that the cybersecurity is an enabler of economic progress.

It is something that makes the Smart nation initiatives, the initiatives, the digital future possible.  So the ASEAN Ministers have since 2016, 2015 have spoken about the importance of cybersecurity.  They are like brakes on a sports car.  If you have a sports car and you want to go fast, it's good to have good brakes.  If not, you will be going very fast, but you will not be able to stop.

So what happened is we received a very clear guidance on this in 2018 during Singapore's Chairmanship.  The ASEAN leaders for the first time issued a statement on cybersecurity cooperation.  Many of the things that Nikolas spoke about and the UN four approaches pillar for cyber stability, namely norms, rules and principles, international cooperation, international law, application of international law as well as CBMs were mentioned in the statement as key things that ASEAN countries should work on, but also in a multi‑stakeholder way.

And so just to add before I go into CBMs, during the ministerial Conference on cybersecurity in 2018 the Ministers to ASEAN, ICT, and cybersecurity Ministers agreed to subscribe officially, formally, in principle to the eleven norms of state behavior in cyberspace that were contained in the 2015 UN GGE report.  And this year's meeting in Singapore they decided to set up a working committee to come up with a roadmap to implement these norms.

So where do confidence building measure fit in?  We sit in IAF, ICM and ICTs, and our perspective has been that confidence building measures are just so important in a region of ten countries which are so diverse, not just in capacity, but also in terms of history, in terms of language, in terms of values, that confidence building measures becomes even more urgent and important.  Taking from Nikolas' point and the point made earlier that confidence building measures are a practical way of implementing cooperation.

So we have come up with five proposals which are being implemented, but they were understood from the fact that the landscape, the cyber landscape in each country is very different.  For example, when we, when Singapore wanted to host a Conference on cybersecurity for ASEAN Ministers, our Minister invited the ICT Minister in each country, and we also sent an invite to whomsoever it may concern, because truly there were different people looking at cybersecurity, different Ministers looking at cybersecurity.

So when we started the efforts to CBMs, you will notice that our five CBM proposals were meant to look at practical ways of increasing trust and confidence in a very fragmented or different landscape where different countries have different ways of organising themselves for cybersecurity.

So we worked with our partners and we worked with partners like the EU, with Australia, with, you know, as a region, and we have proposals on points of contact, so we have approved the points of contact directory where each country is now exchanging points of contact who can be contacted.  We have a sharing of information, domestic laws, national policies and strategies, proposal and protection of critical infrastructures, awareness raising information on information sharing emergency responses, and also on the principles of building security in ICT's use.

Why these are important is because these are areas in which we can quickly bring the whole region together to speak to each other, share our experiences, share our perspectives and hit the priorities that are necessary.  But the key point here, and this has been reflected in our discussions, and this is where the multi‑stakeholder approach is important is all of this works in a region which is very diverse only because there is a concerted and coordinated effort at capacity building.

There needs to be capacity not just in technical matters, in operational matters, and I think that my co‑panelist spoke about the incident response, the need to understand threats is just so important, and this is something we do, but it's also important to build capacity in things, in areas like strategy, in legislation, in setting up a CERT and giving it a mandate.  So the sharing of information becomes very important.  The sharing of strategies becomes very important.

So I think that in Bangkok we have a centre which is run by Thailand and Japan, the ASEAN centre on capacity building.  They have invested $30 million on a Center of Excellence for cyber capacity building.  And we build capacity for countries in the region to develop their own governance models, to build their ability to work within their own systems, to engage with each other, with other countries in the region internationally, but also with industry.

So many of our capacity building efforts I'm happy to say are not run by Government trainers.

We work with many different companies, Microsoft, and others as well as civil society, NGOs, universities to deliver capacity building because the perspective that multi‑stakeholders bring to this conversation is important.  I will just end off by talking about the UN intersessional stakeholder consultation next week which will happen from Monday to Wednesday in New York, Singapore will be Chairing it under the Chair of the Swiss and the OEWG.

I think one of the key facts which has been brought up is that we would like to hear how multi‑stakeholders can support the efforts, the discussions which have already gone on in the UN to build rules‑based cyberspace and to equip countries with the structures and the thinking and the strategies necessary to continue building a rules based cyberspace that inspires trust and confidence and it's all built on the basis that when we have stability in cyberspace, then it is possible to not just economic progress, but better living standards for the 630 million people living in ASEAN today.  Thank you.

>> MODERATOR:  Thank you so much.  I think that really touched on a lot of areas that influence this space and I think they are really critical that we don't forget.  I think it's the same in OSCE.  I think the diversity of stakeholders that talk to each other, even Government to Government is dramatic.  In your region, Singapore versus Laos are very different levels of ICT development in OSCE, Belgium versus Belarus are probably fairly different so thinking about how do you ensure that you lift everybody up going forward is something to definitely think about as we go into this conversation.

I also see, I think, the global Forum for cybersecurity expertise somewhere at the back of the room, I will encourage them to chime into the discussion later on.  With that, I want to turn to see the European Union perspective on this.  We have Camille Gufflet here from the External Action Service who will hopefully tell us a little bit about capacity building efforts and confidence building measure efforts both in a slightly more cohesive environment and sort of how does that differ, and sort of give a European perspective for the future.

>> CAMILLE GUFFLET:  Thank you very much, I'm Camille Gufflet.  CBMs were not really.  I was working on disarmament and arms control, so it has been interesting to see how CBMs have been translated in the cyber domain and how they can be effectively implemented.  If for the EU and Member States there is a clear decision that CBMs are a practical means for conflict prevention and building effective mechanism in cyberspace, but elsewhere is essential to reduce the likelihood of conflict.

So my presentation will focus on three points of efforts, first internal transparency in the European Union region, and then what are the corporate measure we are implementing in our external relation, but how we contribute to the wider stability label.

First, about transparency and reliability, there are measures that provide insight into states' activities and they contradict to misinterpretation of action and escalation of conflict.  So in that regard, the EU aims to strengthen first its cyber defenses and resilience, also to increase awareness of businesses and citizens and thirdly to promote increased transparency on cybersecurity issues.

So the EU response is first and foremost directed at implementing its own cyber resilience and has adopted in 2017 a joint coalition on resilience defense to build stronger cybersecurity for the EU.  The centre piece of this effort is the directive that you heard about.  It's the first EU-wide legislation on cybersecurity, and it includes member state preparedness by mandating the establishment of national strategies on security of networks, and information system.

It also includes the participation of the businesses that will have to take appropriate security measures and to notify serious incidents to the relevant authorities.  We are also taking other internal measures on adopting communication from the commission on securing three for election.  Going forward we agreed the EU cybersecurity that translates the measure of the internal agency in charge of cyber, the measures of the EU to address cyber threats and also establish a framework for cyber certification.  So to group hold the level of all EU Member States on the security of their products and services.

So this model is evolving, and this is a good basis to engage with third partners, besides strengthening our own resilience.  We aim to strengthen global resilience.  Global resilience is crucial element to maintaining international peace and security, and it reduced also the ability to perpetrators to use ICTs for malicious purposes and to strengthen the ability of all states to effectively respond to and recover from cyber threats.

So the third insight into the EU activities that are concrete steps to sharing best practices and also facilitating effective dialogue.  I would like to focus more on the comparative measures that are efforts toward implementing effectively CBMs.  So the EU and to promote collaboration between states based on a mutual commitments which is essential to developing the trust required for promoting an open, free, stable and secure cyberspace, we are working towards effective cooperation among the international community.  We deepen regular dialogue partners to develop and implement effective confidence building measures, but also to demonstrate to settle international disputes by peaceful means.

We have been engaged in the development and implementation of two sets of CBMs in the OSCE, we are participating in the Forum, we are cosponsoring with Singapore a CBM on the protection of critical infrastructure.  So first, those are essential steps to contribute to the security and stability in the cyberspace.

Clearly dialogue contributes to building trust and confidence for exchanging best practices, promoting human rights, democracy and the rule of law, improving security, but as well as tackling issues of common concern to better prevent protection that relate to malicious cyber activities in that regard, the EU did a framework for diplomatic response to mitigate cybersecurity threats and also to look for greater stability in this international relations, and this EU cyber tool that we present also includes as a very first step in preventive and cooperative measures, implementation of effective CBMs.  So it's not only a response to the threat, but also a toolbox to have long‑term stability.

In all of our efforts we contribute though the non‑state actors that work in synergy with the joint efforts of Governments, also, therefore, the private sector, civil society, technical community.  And in that regard, EU Member States have supported the privacy and security in the cyber, and its commitment, and we note that this initiative came at a time last year when the international cooperation and multilateralism was being challenged more than ever.

I would like just briefly to also touch upon the stability and the capacity building efforts of the EU because besides reducing the likelihood of conflict, the European Union along with its Member States are willing to build stability.  We promote the rules‑based international effective multilateralism and governance.

There is this respecting international law and upholding the Constitutions that international law applies in cybersecurity is essential, and it comes with the implementation of responsible norms of responsible state behavior, but as it was also mentioned in the presentation, it's part of a whole global measures that is working with each other including the CBMs.

In terms of capacity building.  We think that providing assistance is essential for international security and the EU has invested substantially in strengthening the cyber capacities of third countries.  We are contributing to the different organisations to bilateral relation, but also to new centre has been mentioned, the centre of Singapore and ASEAN Center of Excellence of cybersecurity.

But more the cyber diplomacy part I just wanted to mention the EU Cyber Direct project which supports our efforts, and consequently contributes to the development of secure, stable and rights based order, and they are supporting our efforts and dialogue with strategic partners like Brazil, China, India, Japan, South Korea and the United Nations but also our work on CBMs in the regional regions in Latin America, Asia Pacific as well as USA.

So thank you very much, and happy to answer any questions.

>> MODERATOR:  Yes, thank you, and I think with that we did a worldwide tour of both the private sector and different regional perspectives on the world of CBMs.  I actually thinking about something you said at the beginning of the presentation wanted to ask you, Camille, but obviously anybody on the panel feel free to chime in, how is cyber and CBMs for cyber different from the traditional environment?  I think we have heard a few examples, obviously the industry role is one of them, but I think the challenges with attribution probably apply more in this space than in others, but what has your experience been?

>> CAMILLE GUFFLET:  So I will say that what I have noticed is that the CBM messages are not so different.  This is based on efforts in transparency, sharing information, opening lines of communication, facilitating cooperation, fostering and endorsing and protecting the infrastructure but also responding to threat.  So this is just the degree of implementation that is different, the kind of actors that are connecting together I would say.  Also in regard to the private sector role it's clear that in this interconnected cyberspace we need to be involved with the private sectors through this Forum.

We said that the open‑ended Working Group is CBM in itself, but I will say that IGF as well and in the set of CBMs in the OSCE there is this compensation of the public and private partnership, so it's been a long time also in the view of the Member States that they need to engage with the private sector that are owning most of the cyberspace.

>> NIKOLAS OTT:  Yes, we do have explicit reference on public‑private infrastructure It comes to critical infrastructure protection within our set of CBMs.  The one thing I wanted to mention is not so much how the CBMs are designed but how they are implemented and incorporated.  There is where we see that it's not just sort of a military to military or MFA to MFA, but a whole of Government and to certain extent a whole of society responsibility to figure out how these agreements made across the globe can be put in practice.

This is what we see over and over again when we build in our capacity building efforts that is quite useful to bring non‑governmental experts into the discussions to figure out how this can be done effectively because the expertise is there, the knowledge is there, it's just a matter of how to connect the dots.

Therefore, this also feeds into our whole discussion about capacity building which is becoming more and more important, and I'm glad that we have GFCE representatives in the room.  So if you ever want to learn how capacity building is coordinated in a really good way in the back there are experts.

>> I think, for example, even if you don't look at it from a public‑private partnership in a very purist way, the idea that even from a security operational perspective, you need to work with the critical information infrastructure operators who are private, and one of the key problems which I think Caroline spoke about is the need to share information in a timely and relevant way and I think that that's where it's different when it's between states previously, and here the confidence is built not just between states but it's also built with the critical information infrastructure people, the companies which are monitoring threats and we need to figure out a way to open lines of communication in a timely and relevant way.  And that all adds to the confidence that's built.  And that's the real challenge before us today.  I think that's how it's qualitatively different.

>> MODERATOR:  I would agree.  I think maybe building on that and sort of, again, inviting others to chime in, is given the complexity of these conversations and, you know, oftentimes we have seen CBMs implemented within regional groups and organisations.  Sometimes they are bilateral.  Today with the industry input and civil society input to an extent, how do you ‑‑ do you build these relationships just within a country first and then you bring it forward or do you build them continuously build them at an international level?  What would you think is a good path forward?  Anyone.

>> CAROLINE GREER:  At least from a private sector perspective, the directive, the information systems security in the EU has been useful with building relationships with Governments.  We are an operator of essential services defined under that directive for some of our services so those are brand new relationships with regulators nationally.  Admittedly the directive is sort of transposed differently in each country and it's challenging to find out what countries are doing nationally, but that's a really great starting point for us and it's a great relationship that we now have built up in several countries where we can talk about the attacks we are seeing and build a trusted relationship such that we can share that information that we have, yes.

>> NIKOLAS OTT:  I think within our approach toward the CBMs, we see that the CBMs serve as encouragement for states to engage with the private sector in very concrete efforts, but we as Secretariat don't directly engage with national entities or private sectors that are engaged in a certain country.  We see there is a lot of stimulating discussions between the national governments and private sector and civil society as active in the field, and that is oftentimes brought back and channeled through national representatives in discussions within the OSCE.

>> MODERATOR:  I think with that it brings me back to capacity building, I think, because our experience has been, and I think that's obviously a fairly straightforward, you can kind of almost, you get from the industry what you put in.  You need to understand what questions to ask.  You need to understand, you need to also be able to prioritize risk to a large extent.  How do you ensure that going forward we can equip countries in the space.

You talked a little bit about the centers of excellence.  You talked about the EU efforts, but how do we equip countries around the world, and also actually how do you equip industry around the world so it's not just a few large sophisticated providers that can engage with this effort that to be able to have that conversation.

>> SITHURAJ PONRAJ:  I think the two things we have realized and we realize this because we make mistakes and not because we were correct.  And the first is the understanding that there are many different levels of capacity building needed.  And something that we decided not to do from the very beginning is something we call hit‑and‑run capacity building.  Let me explain.  So, for example, we used to have three or four days of capacity building maybe on forensics or malware testing or anything.

What does it mean at the end of four days?  What do you tell the Minister who is sending his people, congratulations the person who attended is now an expert?  It can't be.  So one of the key things is what we have tried to do is work in partnership with industry and Interpol and other organisations to say that we will have sustained three‑year program with metrics so we can say to that person, the Ministers or whoever is sending their officials that at the end of three years, and so that's what Singapore does, we insist that all programmes are three years, we work with industry for three years to design programmes so at the end of three years we can tell them, look, your official is not going to be able to do the sort of things that you think he is able to do, but he is able or she is able to do some of these things.

So we have taken on a responsible way of reporting.  One of our challenges is then to figure out how to have metrics.  So we are looking at GFCE.  We are great supporters of GFCE to come up with metrics and we can't do this without industry, because industry has worked out many of these programs, many of these expertise levels.

Now, to bring the industry into the conversation, to help then facilitate, so I was going to answer your previous question.  That's how regional organisations can play such a great role, because we can sort of tap on the synergies and to bring the whole region, and to come up with metrics which individual countries may not be able to standardize for themselves because as you said, the capacities are so diverse.  One of the key things I thought the quick win is to bring industry and multiple stakeholders to actually reflect on sustained coordinated capacity building and concrete outcomes and that's powerful.  What we tell all of the industry that come and take part in Singapore capacity building programmes is actually we would like to see an outcome from the country representatives that come for capacity building thank you very much for the training, by coming for this training we realize there is so much more to do, we would like to invite you to our country to continue the training.

So this is how we try to do it now.  How successful, I will tell you in three years' time.

>> MODERATOR:  Good luck, I would say.  I think maybe that almost brings me back to sort of, so what are, we talked about metrics.  What are some good examples of capacity and confidence‑building measures that work.  How do you make them work?  What are some of the best practices there?  And I think from what I am hearing a lot of it is continued engagement and literally working on small projects together.  Am I right?  What have your experiences been?

>> NIKOLAS OTT:  I think you are hitting in the right direction.  We are exactly looking at how we can find means to encourage states to engage in this last amount of measures be it on coordinated mobility structure and figuring out how they can learn from each other's best practices, critical infrastructure protection, sharing strategies and explaining to each other how sort of their national governance structures work.  I think just being a platform and bringing the stakeholders together who might not agree on a lot of things but ultimately have to work with each other and figure out how to sort of find agreements.  That is quite helpful.

The one thing that we see is very much appreciated and is now also reflected by ASEAN and the OS is this point of contact network.  This is something that has been building and maturing over the last year, we see that there is very strong interest in moving this forward and establishing sort of a strong community amongst policy makers and this also I think goes to show how this issue that tended to be rather technical or focused in a niche is receiving more and more interest by diplomats and policy makers in a traditional sense to figure out how the issue can be incorporated in the broader international relations environment that those actors are engaging in.

>> CAMILLE GUFFLET:  That's an interesting question.  I don't really know if CBMs are really quantifiable because how to measure trust and cooperation between states.  So in terms of concrete efforts to implement them, I would say from the example of Nikolas and the communication check I guess we answer to the mandate we received, indeed the point of contact is really a first in concrete steps to establish a network to cooperate and share information.

The value of the original organisation is to have a platform with a schedule and times and meetings to share information, to have an agenda on, yes, what are we going to discuss, if we are more going to discuss national strategy, national developments, the need for capacity building to strengthen resilience in our own infrastructure.  So that will be concretely the efforts is to make, well, to make an effort to share information and to contribute to the discussion.

>> MODERATOR:  And maybe, again, building on that, how do you make sure that a lot of the conversation obviously take place diplomat to diplomat, but how do you make sure that you build the relationship not just at that level, but bringing it back down to the technical community, to the technical experts within the different Ministers, within the different tech companies as well?

>> CAROLINE GREER:  I think clear expectations and goal setting for these conversations are important.  What are we trying to get to?  So everybody has a clear understanding going into this initiative for discussion what we are trying to achieve.  Also from a private sector perspective, understanding what the possible limitations are private sectors, be that a lack of ability to look into attribution or also understanding that we have user trust issues as well of our own customers.

I think that's very important.  So understanding everybody's kind of positions and red lines if you want to call them that, is clear to build trust, to then progress with a conversation which hopefully we can achieve some goal and what is that goal.  So really kind of level setting from the outset is particularly important.

>> MODERATOR:  Thank you.  We have been up here for an hour which seems like it flew by at least to me.  So I have one question I will pose and then I will open the floor.  So encourage you all to think, I already see one question.  My question is we touched upon some of the CBMs that are different regions, different countries are using points of contacts, critical infrastructure protection.

What are some of the gaps you are seeing?  Do we just need to focus on implementing and continued implementation, rather, of existing agreements and CBMs are there areas that you see would be good for us to try and come up with new processes, new methods, new models?

>> SITHURAJ PONRAJ:  I will just make a point, and I think I have spoken to my colleagues and I think at some point while the regional efforts are good, I think CBMs can also be transferred between region and region, and points of contact, I mean, there is nothing really stopping you from expanding the points of contact and sharing the directory with OSCE, for example.

The nature of the cyber domain is transboundary; it doesn't make sense to just have CBMs within a region.  I think we have started working with our colleagues from the Organization of American States, certainly with the EU.

The OSCE, there is hope, but that's the gap.  The danger is really to feel satisfied we are coming up with measures for your own region, forgetting that this is a transboundary problem that doesn't respect the region.  Thank you.

>> NIKOLAS OTT:  I couldn't agree more.  The interregional part and figuring out how the experiences from the respective Secretariats help each other quite a lot in identifying the most effective ways in supporting the Member States within the regions but also then to exchange the points of contact networks, for example.  We really see that the appetite within the OSCE is very focused on implementation, on the existing agreements.  I'm sure you could find a lot of gaps or components that could be added but in the end it is sort of a long laundry list of things that are crucial and have been identified and agreed upon, so, therefore, the existing capacities and structures by the countries are really used to now putting more meat on the skeleton of the CBM body in that sense.

>> CAMILLE GUFFLET:  From my perspective, I don't know if we can already receive the CBMs, any gaps on any, well, there will be always new CBMs that we can develop.  Indeed there is a need to have this interconnection between the regional organisation.  I see the value to have CBMs develop in the region because it certainly takes into account a common interest but also regional concerns.  So that is value of developed CBMs in original organisation and but then after two work together, but I would say that maybe what is missing is to have a clear idea of where we are in terms of implementations, not to have an idea of what is the degree, if it's working or not, but just where we stand, what are we doing, what is effective to build trust and transparency and stability.

I will say that this is also why the EU is promoting to advance a common understanding of the cyberspace stability and the application of international law, how concretely implement responsible state behavior in order to prevent conflict is to really share information and to be transparent.

>> MODERATOR:  Thank you.  With that I will open it.  If you could introduce yourself as you speak.  I don't think we have mics, but I will repeat your question.

>> AUDIENCE:  Thanks my name is Glenna Risson, incoming Professor of technology.  I have to say that this is my second IGF. This kind of panel is why I think that IGF is the best I have attended.  It is amazing that Microsoft sales force and the OSCE (?) but cybersecurity has made it clear that we need this kind of cooperation, but I put it to you that in the digital era, there are a lot of things, we have these transnational actors that are private that maybe need to have a different governance role.

So do you see the kinds of things that you are doing here have impact outside of security or do you think there is something special about security and so CBM is the only link?

>> MODERATOR:  Does anyone want to take that question?

>> SITHURAJ PONRAJ:  I think the consciousness is good.  Certainly as I said from the beginning, I'm from a Cybersecurity Agency of Singapore.  It's a cyber agency, a security agency.  It's not really found in such panels previously, but I think as a Government, as Government, as regions, we realize that many of the adjacencies of cyber, I mean, we call it cyber adjacencies.  You might call cyber a digital adjacency, but we need to be aware of all of these issues and the economic impact of security.

So I think the conversations that many Governments are having, many regions are having is how to balance the security and economic imperative and certainly you are correct that consciousness is growing.  What it will evolve into really depends on conversations like this.  That's my perspective.

>> NIKOLAS OTT:  In a way the CBMs are a baseline for much more.  We are trying to grow something here.  We put in the seeds and see whether it's going to be rows or we don't know yet, we have to figure out how we get there, but we are using something and sort of planting it together and working in a collaborative way and seeing whether there will be greater economic benefit or more international collaboration on disarmament or other things.

For me the key take away is increasing potential for greater cooperation.

>> CAROLINE GREER:  At CloudFlare the way we look at this, it seeps in democratic protection.  Companies like Microsoft was also super involved as well.  This goes to the core of our Democratic systems so for us it's key.  Yes, I mean, it sounds a little abstract at the cybersecurity level, but if you look at the impact on some of these initiatives on the democracy levels, they are so important and they impact all of us as a society.  So I think that's something to bear in mind as well.

>> MODERATOR:  Other questions in the room, otherwise I would add that I think it's slightly different because the stakeholders, the interlocutors are slightly different.  I think the cyber and security in particular, a lot on the perspectives that countries bring is your traditional national security military conversations, which is slightly different from what you hear in IGF typically.

It would be good, I see access now, it would be good to also sort of have a perspective on how civil society can engage in some of these conversations on CBM, on norms, because industry, there is a clear role.  I think everybody is realizing it and how do we ensure that we bring civil society in will be interesting as well.  Do you want to go?

>> AUDIENCE:  (Speaking off microphone)

>> MODERATOR:  I will repeat the question because the previous one wrote out for the online group, but I think this one didn't.  The question is what can we expect next week at the UN open‑ended Working Group intersessional as the first part, and the second part is I guess how does the industry play in that role, and sort of will we participate?

>> SITHURAJ PONRAJ:  I will do the first part which is on the intersessional multi‑stakeholder meeting next week.  Thanks for the question.  I just want to preface that by what happened in September at the open‑ended Working Group, and I was there, and this is the first open‑ended Working Group dealing with cyber discussions at the UN, and we were all heartened by something we are hoping to repeat next week.  The first thing we are heartened by is the fact that I think there are close to 120 to 130 countries that were there.

The countries took part in substantive discussions around the six areas of the mandate that the OEWG was supposed to cover.  That has prefaced the idea of inclusive discussion, not just among a few countries which had things to say, but you had countries, developing countries speaking with such conviction.  So next week, what will happen is it will be three days of agencies from NGOs, civil society groups will be in the same room and they will be contributing ideas and thoughts on all six areas under the OEWG mandate.  I think this is a powerful opportunity as you have said, and if everyone brings the same energy that we have seen from players and countries which have hitherto not taken part, the OEWG momentum will grow and we will hear perspectives because the states will be in there too, and they will be hearing what the multi‑stakeholders have to say about each one of these things.

So this is what is going to happen next week, and as you have pointed out correctly, I think it's what each participant makes out of it as they bring into the room.  So with that, I will pass onto CloudFlare.

>> CAROLINE GREER:  My first answer is no.  We don't have the scale of some other large companies, we have three policy people globally.  We are really stretched.  I hope that will change because no doubt we see the importance and we would love to be there, it's just not possible for us at this time to attend this particular meeting next week.

>> MODERATOR:  I will build on that, I think we will obviously be there, but there are also, I think industry will be represented through a number of different industry bodies.  The U.S. Chamber of Commerce will be there, the international Chamber of Commerce will be there.  I think they are both preparing remarks and the cybersecurity tech accord will be speaking.  The cyber security accord is organising with the Irish Government so you can talk to either us afterward, but I agree, I think there is a need to raise awareness of the importance of these discussions, not just across the countries around the world, but industry at large as well for sure.

>> CAMILLE GUFFLET:  To continue certainly it will also answer the first question about the EU contribution to this kind of dialogue.  I will take again my example of this EU Cyber Direct project that is facilitating dialogue with civil society, technical users, academia and the private sector, not only with the European and Member States, but also with those NGOs from the third partners and so in that regard, they sponsor the participation of 29 experts in New York from all regions and it's providing framework of discussion to develop a bit more the diplomatic issues that will be developed during this international session because what we are noticing is that we need also to facilitate the discussion between business, private sector, civil society, and the Government to build, to go towards common understanding on what are really the issues for each respective actors.  Thank you.

>> MODERATOR:  Thank you.  Are there other questions in the room?  Comments?  Or online?  Go ahead.  Elayne, do you want to introduce yourself.

>> MODERATOR:  My name is Elayne Cortez and I'm a Professor at the institute of international studies.  Hi, my name is Elaine Korzak, visiting Professor at international studies in Monterey, California.  My question is we have heard about the open‑ended Working Group, a little bit about the GGE, how the UN process is unfolding.  I wanted to think a little bit further out.  Where do you see this whole conversation about confidence building measures, and adjacent to that, capacity building measures in ten years, seven to ten years from now?  Problem solved?  New problems?  Still the same problems?

>> MODERATOR:  That's a difficult question.  Who wants to take it?

>> NIKOLAS OTT:  The honest answer would be I don't know.  I think it really depends on how we make progress on our implementation, whether it's going to be additional sets of CBMs in the OSCE or just stick with what we have.  That very much depends on how the participating states want to bring this further, how it fits within their own interests, within their own priorities.  So honestly, I'm not going to make a prediction because I don't know.

>> SITHURAJ PONRAJ:  If I may, so I'm feeling positive today.  It could be the breakfast, but I'm feeling positive.  I think when we started out in ASEAN in 2016, 2015, lots of things were being done, and I see that particularly such discussions and strategies so we have got three or four ASEAN countries already setting up a central cybersecurity agency, and it's not given that Governments will move so quickly to set up agencies so Indonesia, Malaysia, Brunei Darussalam, Philippines so even in organisation, POC directory it means there is a POC and in fragmented landscape it is difficult if there are many people in charge of cyber but slowly we are seeing people appointing agencies to be in charge of this discussion.  So that's from an organizational viewpoint.

So that’s important from CBMs.  You pick up a phone, if you don't know who to call, if you are calling four people saying four different things, you are stressed.  The second thing is I think countries in ASEAN, at least we are coming up with strategies. Malaysia will be introducing a strategy. Singapore has a strategy.  So these are positive steps forward which may look like tiny baby steps, but they are important in actualizing the CBMs, and then at the regional level, I have already shared about the ASEAN leaders doing things, agreeing on things, and I think with the help of Japan and Malaysia and Singapore, we set up the ISM and ICTs.

So I think the prognosis is positive.  I think the only unknown may be technology moving very quickly, and I think one of the things we need to square away is internally how to deal with cybercrime, cybersecurity, defense related cyber, so there may be new problems coming, but I don't think the present problems are unseen or unheard.  They are being dealt with.  So that's my perspective.

>> CAMILLE GUFFLET:  I would also not undermine the outcome, the news and I don't see how it could go, but CBMs is something, well, I studied history, and I'm all for preventing conflict and reducing tension it's not because we have a name of what is confidence building measures, that never exist before.  So if I look forward at CBMs will be and will continue to be one of the most effective measures to prevent conflict.  You mentioned the OEWG and the UNDG and I presume you want to have an idea of what could be the concrete outcome of this discussion, so I would say there is different level of CBM in multilateral organisations and bilaterally or maybe in the same way to be positive CBMs always existed and also implementing in a certain degree.

>> MODERATOR:  Thank you.  I feel this almost kind of is a good wrap up question, but I will ask all of our panelists to sort of maybe provide a few concluding remarks just at the end to say thank you and sort of what are some of the things that most stuck with you in this conversation, and then we will slowly allow you to go get lunch.  Do you want to start on this side?

>> SITHURAJ PONRAJ:  I'm sorry, I got distracted by lunch.  So I just want to say that the most important thing is in our perspective is that there is a great need for capacity building.  It is something that needs to be done in a coordinated way.  The more we do capacity building, the more we realize we need to work with lots of people across regions and as well as industry, and as I said earlier, the GFCE is doing great work and we look forward to working with people and implementing and building capacity to implement both norms and CBMs so that's my thoughts.

>> CAROLINE GREER:  I guess I'm feeling relatively positive.  I see a lot of work at least in my own European world context, a lot of good initiatives happening.  We saw this with the elections this year in Europe, a lot of Member States and tabletop exercises and information sharing coming together also with the private sector, if the cybersecurity act as you mentioned, we have ENISA, we have a talk of an EU cyber defense agency, certainly the awareness is there.  My sense is this ebbs and flows a little bit.  We are at a particularly high peak of geopolitical tension, let's say, and I think that was well reflected in the comments at the Opening Ceremony yesterday by the UN Secretary‑General, by Angela Merkel as well.  It's a moment in which it is sort of protectionism and every man for himself.  That kind of narrative is not helpful at the minute in a time we should be pulling together and solving things on a global level and we should be trying to build trust.

So I think it's a particularly stressful moment in which some of these narratives are not helping digital serenity if read the wrong way, although Angela Merkel said translated in the wrong way it becomes more of a building walls, everybody cornering in on their own piece of turf.  That's kind of a risk.  So we need to work to continue to break down barriers, to pull together and do this on a global level and as was mentioned earlier not just looking at our own regions, but how do we interconnect.  I guess I'm an eternal optimist, so I do hope for continued progress on this front.

>> CAMILLE GUFFLET:  We I have roadmap for cyberspace.  I prefer the image of a strip.  We have a framework, we have existing international law that applies in this cyberspace, and we have complemented this framework by norms and concrete norms to be implemented for responsible state behavior, and we further complement this effort to have, to assess the state aids intention in confidence building measures to have cooperative efforts.  So, yes, I will say that we have at a multilateral level and now to capacity building, to efforts from the national, from national efforts, we are going towards stability, stable cyberspace.

>> NIKOLAS OTT:  In terms of takeaways for me, I think it's great that this is a fairly diverse panel.  As was mentioned I think that the IGF is sort of encouraging that kind of conversation here is phenomenal and very, very helpful.  My personal takeaways here are clearly that the capacity building angle on this work is crucial, and will play definitely a greater role and sort of a great hook for us to make sure that sort of the diplomatically agreed language is translated into concrete efforts across the world.

It also gives us a very strong sort of clear path for collaboration and I think that's something that we should focus on and hone and support, and that's something that I see also as a great potential for non‑governmental entities to really make sure that Governments, make sure that they continue to put an effort in this collaborative pot.

And then lastly, since we are talking about the broad topic of cybersecurity and IGF is about tech, but I think the panel reflected that it's very much of people.  We need to make sure that the conversation is clearly connected to the individual, to the people because trust building in the end is not done between critical infrastructure provider and their servers, but amongst representatives of these entities and the people that have worked together especially in terms of crisis.

>> MODERATOR:  Thank you.  Thank you all, I think I worry that I may be the voice of doom so I will try not to do that.  Though I feel the path forward is less than rosy.  But I think we can take from the panel and the conversation that states are increasingly aware of cybersecurity is important, they are investing in the capacity.  Hopefully that will mean that we are able to bring them all to a similar level, not that we have some that are way ahead.

I think the conversations here today also sort of made it really clear that confidence building measures irrespective of what happens on the conflict and stability online will be critical to try to rein that back in if something happens, so it's important that we invest, we work together as a community more than anything else to make sure they are implemented and trust begins to emerge across both allies, but between different stakeholder groups, between potential "enemies," using quotation marks.

But with that I want to say thank you, really, really interesting panel, interesting conversation and thank you for the audience for participating in the questions.  I will say I hope that many of you will actually make it to New York next week as well.

(Applause)